sops: 增加多机器管理下的标准密钥流程

home/standalone/.zsh.d/nix.zsh

@@ -1,5 +1,7 @@
 #!/usr/bin/env zsh
 
+export O4_FLAKES="$HOME/flakes"
+
 if command -v direnv &> /dev/null; then
     eval "$(direnv hook zsh)"
 fi
@@ -16,7 +18,7 @@ o4-home-switch() {
   home-manager switch --flake ~/flakes#$(whoami)@$(hostname)
 }
 
-sops-update-file() {
+o4-sops-update-file() {
   local src_file="$1"
   local yaml_file="$2"
   local age_key_file="$HOME/.config/sops/age/keys.txt"
@@ -53,12 +55,12 @@ sops-update-file() {
   return $rc
 }
 
-sops-update-ssh-config () {( set -e
+o4-sops-update-ssh-config () {( set -e
     local SSH_CONFIG=$HOME/.ssh/config
-    local FLAKES=$HOME/flakes
+    local FLAKES=$O4_FLAKES
 
     $EDITOR $SSH_CONFIG
-    sops-update-file $SSH_CONFIG $FLAKES/secrets/ssh-config.yaml
+    o4-sops-update-file $SSH_CONFIG $FLAKES/secrets/ssh-config.yaml
     pushd $FLAKES
     if [[ -z "$(git status --porcelain)" ]]; then
         git add .
@@ -66,3 +68,43 @@ sops-update-ssh-config () {( set -e
     fi
     popd
 )}
+
+O4_SOPS_MACHINE_KEY_DIR="/var/lib/sops-nix"
+O4_SOPS_MACHINE_KEY_FILE="$O4_SOPS_MACHINE_KEY_DIR/key.txt"
+
+o4-sops-machine-key-init () {
+  # check sudo
+  if [[ $EUID -ne 0 ]]; then
+    echo "require root" >&2
+    return 1
+  fi
+
+  # check folder and file
+  local key_dir="$O4_SOPS_MACHINE_KEY_DIR"
+  local key_file="$O4_SOPS_MACHINE_KEY_FILE"
+  mkdir -p $key_dir
+  if [[ -f "$key_file" ]]; then
+    echo "key exists: $key_file" >&2
+    return 1
+  fi
+
+  # keygen
+  install -d -m 0700 -o root -g root $key_dir
+  age-keygen -o $key_file
+  chmod 0400 $key_file
+  age-keygen -y $key_file
+
+  # print pub key
+  grep "^# public key: " $key_file | cut -d ' ' -f 4
+}
+
+o4-sops-machine-key-print-pubkey () {
+  local key_file="$O4_SOPS_MACHINE_KEY_FILE"
+  if [[ ! -f "$key_file" ]]; then
+    echo "key file not found: $key_file" >&2
+    return 1
+  fi
+
+  grep "^# public key: " $key_file | cut -d ' ' -f 4
+}
+